Alleged Babuk ransomware gang leader ‘Wazawaka’ indicted, sanctioned by US
The U.S. government on Tuesday indicted and sanctioned Russia-based hacker Mikhail Matveev on accusations of running the Babuk cybercrime gang and being a “key actor in the Russian ransomware ecosystem.”
Federal prosecutors in New Jersey and Washington, D.C., accused Matveev of participating in conspiracies to deploy the LockBit, Babuk and Hive ransomware variants and transmitting “ransom demands in connection with each.”
The Treasury Department added Matveev, known as “Wazawaka,” to its Specially Designated Nationals list for “his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure.”
The State Department posted an award of up to $10 million for information that leads to his capture or conviction, the standard amount for major cybercrime suspects.
“Matveev has been vocal about his illegal activities,” the Treasury said. “He has provided insight into his cybercrimes in media interviews, disclosed exploit code to online criminals, and stated that his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia.”
Matveev drew attention last year for increasingly erratic behavior as cybersecurity researchers and journalists uncovered details that linked him to the Babuk group, which had its ransomware source code leaked online in 2021 and spawned multiple imitators.
In an interview published by The Record in August 2022, Matveev confirmed that he used the aliases Babuk, BorisElcin, unc1756 and Orange, in addition to Wazawaka. Journalist Brian Krebs had reported that he was Orange, founder of RAMP, a ransomware-focused darknet forum.
Babuk launched a string of ransomware attacks in early 2021 but in April of that year said it was switching to data theft and digital extortion after claiming it stole more than 250GB of data from Washington, D.C.’s Metropolitan Police Department.
In the interview published by The Record, Matveev told Dmitry Smilyanets, director of product management at Recorded Future, that he “did not carry out this attack” and instead a Babuk affiliate had “carried out the attack in its entirety.”
According to the Department of Justice, “Matveev and his Babuk co-conspirators allegedly deployed Babuk against the Metropolitan Police Department.” Prosecutors also accused him of deploying LockBit ransomware against a New Jersey law enforcement agency in June 2020, and Hive ransomware “against a nonprofit behavioral healthcare organization” in May 2022.
OFAC’s announcement says Matveev is 31 years old and resides in Kaliningrad. His identifying features include a missing finger on his left hand, which he claims to have severed himself after losing a bet.
Image: Mikhail Matveev
The Treasury Department has issued a steady stream of sanctions against Russian companies and citizens since Russia’s invasion of Ukraine began last year. Recent designees include entities connected to cybersecurity and disinformation operations, and companies involved with cryptomining.
OFAC designations forbid companies and people within the U.S. from doing business with listed entities and block their access to property on U.S. soil. In many cases, the sanctions are largely symbolic, given that Russia-based entities are unlikely to do business in the U.S.
In the interview published by The Record, Matveev said he’s lived an “ordinary life” in Russia and has never been approached by law enforcement. “Unlike the Americans, the FSB doesn't put up on their website portraits to say, look, I'm watching Most Wanted Cyber,” he said. “It is not clear to me what the Americans want to achieve.”
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.